Tuesday, December 23, 2014

A Lot of Smart People Think North Korea Didn't Hack Sony by Sam Biddle plus view of Anonymous on Sony Hack

Democracy and Class Struggle is aware of a massive cyber attack on North Korea has punishment for the Sony attack, however the US rush to judgement over North Korean involvement in the attack does not fit with the evidence

The evidence linking agents of the Democratic People's Republic of Korea to the recent digitalimplosion of Sony remains vague.

And even though the feds are squarely blaming North Korea, many security experts aren't buying it.

Long before the FBI made it official, North Korean blame for the attack against Sony was taken as a given. Even if the best reason to credit Kim Jong-Un's goons was because it just sort of feels right and Hey, that movie is about North Korea, most people following the story—both in and out of the media—ran with the story. It happens to be a very politically convenient story, featuring the world's favorite cartoon henchman at the lead.

But independent, skeptical security experts have been poking holes in this theory for days now. Evidence provided by the FBI last week in an official accusation against the North Korean government was really more of a reference to evidence—all we got were bullet points, most of them rehashing earlier clues. It still doesn't seem like enough to definitively pin the attacks to North Korea.

Security consultant Dan Tentler didn't take long to brush off the FBI's points:

Expand

But the weightiest rebuttal of the case against North Korea has come from renowned hacker, DEFCON organizer, and CloudFlare researcher Marc Rogers, who makes a compelling case of his own. Highlights below:

The broken English looks deliberately bad and doesn't exhibit any of the classic comprehension mistakes you actually expect to see in "Konglish". i.e it reads to me like an English speaker pretending to be bad at writing English.

[...]

It's clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony's internal architecture and access to key passwords. While it's plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam's razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as.

Furthermore, "The attackers only latched onto "The Interview" after the media did – the film was never mentioned by GOP right at the start of their campaign.

It was only after a few people started speculating in the media that this and the communication from DPRK "might be linked" that suddenly it became linked."

What the FBI is essentially saying here is that some of the IP addresses found while analyzing the malware samples and the logs of the attack have been used in the past by North Korea. To me, this piece of evidence is perhaps the least convincing of all. IP addresses are often quite nebulous things. They are addresses of machines connected to the Internet. They are neither good, nor bad.

The IP address is never what is interesting. It's what's running on the system that has that IP address that is interesting. Furthermore, to imply that some addresses are permanent fixtures used by North Korean hackers implies a fundamental misunderstanding of how the internet works and in particular how hackers operate.

[...]

So where does that leave us? Well essentially it leaves us exactly where we were when we started. We don't have any solid evidence that implicates North Korea, while at the same time we don't have enough evidence to rule North Korea out. However, when you take into consideration the fact that the attackers, GOP, have now released a message saying that Sony can show "the Interview" after all, I find myself returning to my earlier instincts – this is the work of someone or someones with a grudge against Sony and the whole "Interview" angle was just a mixture of opportunity and "lulz".

Today Sony canceled the premiere of “The Interview” and its entire Christmas-Day release of the…Read more wired.​com

But in their initial public statement, whoever hacked Sony made no mention of North Korea or the film. And in an email sent to Sony by the hackers, found in documents they leaked, there is also no mention of North Korea or the film. The email was sent to Sony executives on Nov. 21, a few days before the hack went public. Addressed to Sony Pictures CEO Michael Lynton, Chairwoman Amy Pascal and other executives, it appears to be an attempt at extortion, not an expression of political outrage or a threat of war.

"[M]onetary compensation we want," the email read. "Pay the damage, or Sony Pictures will be bombarded as a whole. You know us very well. We never wait long. You'd better behave wisely."

First, the "evidence" is of the most conclusory nature – it is really just unconfirmed statements by the USG. Second, on its face the evidence shows only that this attack has characteristics of prior attacks attributed to North Korea. We know nothing about the attribution veracity of those prior attacks. Much more importantly, it is at least possible that some other nation is spoofing a North Korean attack. For if the United States knows the characteristics or signatures of prior North Korean attacks, then so too might some third country that could use these characteristics or signatures – "specific lines of code, encryption algorithms, data deletion methods, and compromised networks," and similarities in the "infrastructure" and "tools" of prior attacks – to spoof the North Koreans in the Sony hack.

Third, the most significant line in the FBI statement is this: "While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following." Let us assume that the United States has a lot of other evidence, including human or electronic intelligence from inside Korea, that corroborates its attribution conclusion. This might give the USG confidence in the attribution and might support the legality of a proportionate response. But if protection of "sources and methods" prevents the United States from publicly revealing a lot more evidence, including intelligence beyond mere similar characteristics to past attacks, then there is no reason the rest of the world will or, frankly, should believe that a response on North Korea is justified. (Compare Adlai Stevenson and Colin Powell before the United Nations.)

Reporter Thomas Fox-Brewster tells me he was contacted by lena@spambog.com, one of the hacker email addresses listed in the original leak of Sony files. When he tweeted part of an email says he received from this account, his followers were dubious:

The hacking group that’s taken credit for breaching Sony’s servers and leaking their files online posted a message online Saturday mocking the FBI’s investigation.

According to a statement issued by the FBI on December 19, which was then echoed by President Obama during his year-end press conference, “the North Korean government is responsible” for hacking Sony’s servers, leaking sensitive company data online, threatening movie theaters that choose to exhibit the satire The Interview, and ultimately succeeding in getting the Kim Jong Un assassination comedy’s release pulled.
The FBI presented the following as evidence:

“Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.”

Meanwhile, North Korea has maintained their stance that they weren’t involved in the crippling cyber-attack, and have proposed a joint investigation with the U.S. authorities in finding the culprits, warning of “grave consequences” if America continues to blame the Hermit Kingdom for the hacking.

On Saturday afternoon, Guardians of Peace, the hacking group that’s so far claimed responsibility for wreaking havoc on Sony, posted a message online mocking the FBI’s investigation.
It is as follows:

“By GOP

The result of investigation by FBI is so excellent that you might have seen what we were doing with your own eyes.

We congratulate you success.

FBI is the BEST in the world.

You will find the gift for FBI at the following address.”

Then, they included a link to the following video titled “you are an idiot!”—essentially Rickrolling the FBI. The video opens with some words in Japanese, before cutting to a series of gyrating animated bodies shrieking, "You are an idiot!"

While the FBI, President Obama, and George Clooney seem thoroughly convinced that the Guardians of Peace are the work of Pyongyang—the name “Guardians of Peace” comes from a quote used by former President Richard Nixon describing South Korea—many hackers online have questioned the allocation of blame from Day One, including former Lulzsec hacker turned government information Sabu, who maintains they “don’t have the technical capabilities,” and Anonymous, who wrote, “we all know the hacks didn't come from North Korea,” and threatened to launch further hacks against Sony if they don't release the film online. Some of the world’s leading cybersecurity experts have also questioned whether North Korea is responsible for hacking Sony, claiming a decided lack of evidence or that it came from a group posing as North Korea as misdirection, such as Brett Thomas, chief technology officer of Redwood City, California-based online services company Vindicia:

President Obama, meanwhile, seems quite adamant in believing the narrative that North Korea and its leader, Kim Jong Un, were so offended by the satire The Interview, a Seth Rogen and James Franco flick which portrays the Dear Leader being assassinated, that they launched a cyber-attack on Sony as retribution, and threatened a “proportional” response by the U.S.

“The FBI announced today and we can confirm that North Korea engaged in this attack,” President Obama announced during his year-end presser on Friday. “I think it says something interesting about North Korea that they decided to have the state mount an all-out assault on a movie studio because of a satirical movie starring Seth Rogen and James Flacco [Franco]. I love Seth and I love James, but the notion that that was a threat to them I think gives you some sense of the kind of regime we’re talking about here.”

He added, “They caused a lot of damage, and we will respond. We will respond proportionally, and we’ll respond in a place and time and manner that we choose. It’s not something that I will announce here today at a press conference.”